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(54) A method of and an apparatus for generating internal crypto-keys 



(57) To provide a method of generating Internal 
CTypto-keys to be set initially in a feec&ack-shift-regis- 
ters of a pseudo-random-sequence generator of a 
stream cipher system with sufficient security and suffi- 
ciently high speed as well, the method comprises: a 
step of outputting m sets of first conversion results, 
obtaining /-th set of the first conversion results by 
processing (/ - 1)-th set of the first conversion results 
with a first one-way-function; a step of outputting m sets 
of second conversion results; obtaining /'-th set of the 
second conversion results by processing (/ • 1)-tii sets 
of the second conversion results with a second one-way 
function; and a step of outputting y'-th internal crypto-key 
by XORing ;-th set of the first conversion results and {m 
- j + 1)-th set of the second conversion results. 
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Description 

[0001] The present invention relates to a method of 
and an apparatus for generating internal crypto-keys 
which are used as inittat values to be set in feedback s 
registers of an pseudo-random-sequence generator for 
generating pseudo-random-numbers to be XORed 
(added according to exclusive OR logic) onto a data 
sequence recorded in a recording medium or to be 
transmitted in a communication system, for preventing a io 
third party from tapping the data sequence without per- 
mission. 

[0002] Cryptography called secret-key-cryptography 
can be classified into two types, cryptography called 
block ciphers and cryptography called stream ciphers, is 
In the former cryptography, data of a fixed length, 64 
bits, for example, called the plain text is transformed into 
a data block called the cipher text according to a certain 
transformation algorithm. On the other hand, a 
sequence of pseudo-random-numbers called the key- 20 
stream is XORed onto a data stream called the plain 
text stream to be converted into a dpher-stream. 
[0003] As a method of generating a pseudo-random- 
sequence which is cryptographically secure, there is 
known a method making use of a one-way function such 25 
as a public-key-cryptograph function. Here, the one-way 
function means a function / (x) which can be easily cal- 
culated from a variable x, but it is hardly possible to esti- 
n^te the variable x from an output of the function / (x). 
[0004] FIG. 5 is a block diagram illustrating a conf tgu- 30 
ration example of a conventional pseudo-randonv 
sequence generator which generates the cryptographi- 
cally secure pseudo-random-sequence. 
[0005] Referring to FtG.5, an external key-data of n- 
bits is supplied to a first input terminal 405. A one-way ss 
function circuit 101 outputs an n-bit conversion result by 
processing /)-bit output of a selector 201 with a certain 
one-way function (such as a public key function) accord- 
ing to a certain conversion parameter (such as a public 
key) supplied to a second input terminal 104. The LSB 40 
(Least Significant Bit) of the conversion result is output 
from an output terminal 508 as a bit of the pseudo-ran- 
dom-sequence. 

[0006] With each clock pulse CLK supplied from a 
clock terminat 21 0, a register 202 outputs registered n- 4s 
bit data to the selector 201 and newly registers the n-bit 
conversion result of the one-way function circuit 101 . 
[0007] Only when the clock putse CLK is supplied for 
the first to the register 202, a selection signal SEL sup- 
plied to the selector 210 through a selection terminal so 
21 1 is set at logic '0' for controling the selector 201 to 
output the external key-data supplied from the first input 
terminal 405 to the one-way function circuit 101, and 
afterwards the selection signal SEL is turned to logic '1' 
so that the selector is controlled to select the output of ss 
the register 202 to be fed-back to the one-way function 
circuit 101. 

[0008] Thus, the pseudo-random-sequence is output 



bit-by-bit from the output terminal 508 in synchroniza- 
tion with the dock pulse CLK. 
[0009] The pseudo-random-sequence generator of 
FIG.5 is known to be cryptographically secure. How- 
ever, calculation of the one-way function takes compar- 
atively long time. 

[001 0] Therefore, a pseudo-random-sequence gener- 
ator consisting of a combination of several linear feed- 
back-sift-f agisters or nonlinear feedback-shift-registers 
is generally used for generating the key-stream of the 
stream cipher, when a high speed is required, having 
such configuration as illustrated in a tDlock diagram of 
FIG. 6. 

[001 1 ] In the pseudo-random-sequence generator of 
FIG. 6, there are conprised linear feedback-sift-regis- 
ters or nonlinear feedback-shift-registers (hereinafter 
genericalty called the feedback-shift-registers) S^ to S^. 
To each of the feedback-shrft-registers, working as a 
sub-generator, an internal key K^ to K^ is set initially. At 
each clock, each of the feedback-shift-resisters is 
shifted by one bit outputting its LSB to a combination 
function F, and its MSB (Most Significant Bit) is gener- 
ated according to a certain feedback function from its 
registered bit sequence. The combination function F 
generates a key-stream bit by bit according to a certain 
combination function from outputs of the feedback-shift- 
registers S-, to Srt- 

[0012] However, the key-stream generated making 
use of feedback-shfft-registers, such as illustrated in 
FIG. 6. may sometimes be broken by a deciphering 
method called con-elation attacks. So, various kinds of 
devices has been studied, whereof some examples are 
described in " Applied Cryptography, Second Edition: 
Protocols, Algorithms, and Source Code in C." by Bruce 
Schneier, published by John Wiley & Sons, Inc., 1996, 
and as to the correlation attacks, there is an explanation 
in "Con'elation-lmmunity of Nonlinear Combining Func- 
tions for Cryptographic Apptications" by T. Siegenthaler, 
IEEE Transactions on Informatkjn Theory, Vol IT-30, 
No. 5. 1984, for example. However, desaiption of 
details of the pseudo-random-sequence generator itself 
or the congelation attacks is omitted, here. 
[0013] In any way, to be sufficiently robust against 
cryptographic analysis such as the correlation attacks, 
sufficient numbers of suffteiently long-bit feedback-shift- 
registers shoukj be used for generating the key-stream, 
which requires numbers of internal keys to be set to the 
feedback-shift-registors as their initial values. 
[001 4] On the other hand, bit-length of a secret crypto- 
key is usually limited practically, such as 64 bits, for 
example. Therefore, it is inrportant for the pseudo-ran- 
dom-sequence generator consisting of feedback-shift- 
registers how to securely generate numbers of internal 
keys to be set thereto, from a secret-key given from 
external (hereinafter called the external key). 
[0015] As above mentioned, one or some internal 
keys may be estimated by the correlatkm attacks. 
Hence, when the internal keys are generated from a sin- 
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gle external key witboLrt sufficient care, all the Interral 
keys rnay be easily estimated based on the broken 
internal keys. 

[001 6] Cryptographicalty secure internal keys may be 
obtained making use of a one-way function in the same s 
way with generating the pseudo-random-sequence 
itself, tiy the pseudo-random-sequence generator of 
FIG. 5. for example. However, a demerit of obtaining the 
internal keys by way of the one-way function lies in that 
it takes too long time even for generating the internal io 
keys once at the beginning of a cipher-stream. 
Because, the pseudo-random^equence generator can- 
not but generate the pseudo-random-numbers bit by bit 
Therefore, nx m clocks should be needed for generat- 
ing n sets of internal keys of m bits, for example, and the is 
clock frequency cannot be made highi because of com- 
paratively long calculation time of the one-way function. 
[0017] Therefore, a primary object of the present 
invention is to provide a method of and an apparatus for 
generating internal crypto-keys to be set initially in the 20 
feectoack-shifl-registers of a pseudo-random-sequence 
generator of the stream cipher system, with sufficient 
security and sufficiently high speed as well. 
[0018] In order to achieve the object a method 
according to the invention of generating internal crypto- zs 
keys from an externa) key comprises: 

a step of outputting m sets of first conversion 
results, each /-th of the m sets of first conversion 
results being obtained by processing an (/ • 1 )-th of so 
the m sets of first conversion results with a first non- 
linear function and first of the m sets of first conver- 
sion results being obtained by processing a first 
part of the external key with the first nonlinear func- 
tion, m being a positive integer more than one, / 3S 
being a positive integer more than one and not 
vnore than m, and the first nonlinear function being 
a function wherein a variable giving a value of the 
function is difficult to be estimated from the value of 
the function; 40 
a step of outputting m sets of second conversion 
results, each /'-th of the m sets of second conver- 
sion results being obtained by processing an (/ • 1)- 
th of the m sets of first conversion results with a 
second nonlinear functran and first of the m sets of 45 
second conversion results being obtained by 
processing a second part of the external key with 
the second nonlinear function, the second nonlin- 
ear function being a function wherein a variable giv- 
ing a value of the function is difficult to be estimated so 
from the value of the function; and 
a step of outputting each y-th of m internal crypto- 
keys by combining a y-th of the m sets of first con- 
version results and an (m - j + 1)-th of the m sets of 
second conversion results according to a combin- ss 
ing function. ; being a positive integer not more than 
m, so that each bit of the /-th of the m internal 
crypto-keys has XOR logic of conresponding bits of 



the /-th of the m sets of first conversion results and 
the (m - y + 1)-th of the m sets of second conversion 
results, for example. 

[001 9] Each of the first nonlinear function and the sec- 
ond nonlinear function is preferably a one-way function 
wherein a variable giving a value of the one-way func- 
tion is substantially impossible to be estimated from the 
value of the one-way function. 
[0020} Therefore, by giving an external key of 2 rj bits, 
the apparatus of the invention can generates m sets of 
internal keys of n bite at once, that is. about n times 
faster than to generate the same number of internal 
keys by way of the pseudo-random-sequence generator 
of FIG. 5, wherein only an LSB is available at one dock. 
[0021] Further, even if a third party, who does not 
know the external key, might have succeeded to obtain 
a /f-th {k being 1 to m) internal key by some means, and 
to estimate a k-ih of the m sets of first conversion 
results and an (m • ^ + l)-th of the m sets of second 
conversion results, other internal keys can be protected 
from the third party with sufficient security 
[0022] The above method can be realized with an 
apparatus, for example, conprising: 

a one-way-function circuit for outputting a conver- 
sion result by processing an input bit sequence with 
a one-way function; 

a register for holding the conversion result output- 
ted from the one-way-function circuit and outputting 
the conversion result previously held in the register 
in synchronization with a clock signal: 
a selector for selecting either the external key or an 
output of the register according to a selection signal 
as the input bit sequence to be processed by the 
one-way-function circuit; 

a LIFO (l-ast-In-Rrst-Out) buffer vtrtierein conver- 
sion results output from the one-way-function circuit 
are stacked in synchronization with the clock signal 
when the UFO buffer is controlled in a writing 
mode, and the conversion results stacked in the 
UFO buffer are popped up in synchronization with 
the dock signal when the UFO buffer is controlled 
in a reading mode; and 

a combining circuit for outputting internal crypto- 
keys in synchronization with the dock signal by 
combining outputs of the LIFO buffer and the one- 
way-function circuit. 

[0023] In the above apparatus, the LIFO buffer is con- 
trdled in the writing mode for first m dock pulses after 
initialization. At the first one dock, the external key is 
selected by the seledor as the input bit sequence to be 
processed by the one-way-function circuit, and after- 
wards, the output of the register is selected, so that m 
sets of conversion results are stacked in the LIFO buffer. 
Then, the LIFO buffer is controlled In the reading mode 
for following m dock pulses, in order to generate m 
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internal crypto-keys by combining outputs of the one- 
way-function circuit and the LiFO buffer, dock by dock. 
[0024] The foregoing, further objects, features, and 
advantages of this invention will become apparent from 
a consideration of the fdtowing description, the 5 
appended claims, and. the accompanying drawings 
wherein the same numerals indicate the san^ or the 
con-esponding parts. 
[0025] In the drawings: 

FIG. 1 is functional block diagram illustrating an 
apparatus for generating internal crypto-keys 
according to a first embodiment of the invention; 
FIG. 2 is a functional block diagram illustrating the 
apparatus for generating the internal crypto-keys 
according to a second embodiment of the invention; 
FIG. 3 is a flowchart illustrating operational f bw of 
the second embodiment of FIG. 2; 
FIG. 4 is a functional block diagram illustrating a 
third embodiment of the invention; 
FIG. 5 is a block diagram illustrating a configuration 
example of a conventional pseudo-random- 
sequence generator: and 

FIG. 6 is a functional t>lock diagram illustrating a 
configuration example of a pseudo-random- 
sequence generator having a plurality of feecback- 
shifl-registers. 

[0026] Now, embodiments of the present invention will 
be described in connection with the drawings. 
[0027] FtG. 1 is a functional block diagram illustrating 
an apparatus for generating internal crypto-keys 
according to a first emt>odiment of the invention. 
[0028] Referring to FIG. 1 , the apparatus conprises a 
first cascade connection of a first to an m-th one-way- 
function drcurt 101 1 to 101^ a secor^ cascade con- 
nection of another first to another m-th one-way-func- 
tion circuit 1 02i to 102^ and a first to an m-th n-bit XOR 
drcuit 103i to 103^. 

[0029] Half n bits {upper half n bits, for exanple) of an 
external key-data of 2n bits are supplied to the first one- 
way-function circuit 1 01 1 of the first cascade connection 
through a first external -key input terminal 105, and the 
other n bits of the external key-data are supplied to the 
first one-way-function drcuit 102^ of the second cas- 
cade connection through a second external-key input 
terminal 107. 

[0030] In the first cascade connection, the first one- 
way-function drcuit 101 1 outputs a conversion result of 
n bits by processing the first half n-bit data of the exter- 
nal key with a first one-way function according to a first 
conversion parameter (public key) supplied through a 
first public-key input terminal 104, and each /-th (101/; / 
being 2 to m) of the second to the m-th one-way-func- 
tion drcuit outputs a conversion result of n bits by 
processing an output of the (/ - 1 )-th one-way-function 
circuit 101/.1 with the first one-way function according to 
the first conversion parameter. 



[0031 ] In the same way, the first one-way-functton dr- 
cuit 102i of the second cascade connection outputs a 
conversion result of /i bits by processing the other half 
n-bit data of the external key with a second one-way 
function according to a second conversion parameter 
(public key) supplied through a second pUblic-key input 
terminal 106, and each /-th (102/; / being 2 to m) of the 
second to the m-th one-way-function drcuit outputs a 
conversion result of n bits lay processing an output of 
the (/ - l)-th one-way-function drcuit 102/.i with the sec- 
ond one^fvay function according to the second conver- 
sion parameter, in the second cascade connection. 
[0032] Each /-th (i being 1 to m) of the first to m-th 
XOR drcuit 103t to 103„ calculates an XOR bit 
sequence of n bits to be output as an /-th internal key 
through conresponding one (108/) of a first to an m-th 
output terminal 108^ to 108^. from outputs of the /-th 
one-way-function drcuit 101/ of the first cascade con- 
nection ard the (m - / + 1)-th one-way-f unction circuit 
102;^/^^ of the second cascade connection, so that 
each bit of the XOR bit sequence has XOR logic of cor- 
responding two bits of outputs of the /-th one-way-func- 
tion circuit 101/ and the (m - /' + 1)-th one way-function 
drcuit 102 

[0033] The apparatus for generating internal crypto- 
keys of FIG. 1 according to the first embodiment is thus 
configured. Therefore, by giving an external key of Zn 
bits together with a first and a second conversion 
parameter (public key), the apparatus of FIG. 1 can gen- 
erates m sets of internal keys of n bits at once, that is, 
about n times faster than to generate the same number 
of internal keys by way of the pseudo-random^equence 
generator of FIG. 5, wherein only an LSB is available at 
one dock. 

[0034] Further, even if a third party, who does not 
know the external key, might have succeeded to obtain 
a k'Xh (/c being 1 to m) internal key output from the /c-th 
output terminal 108/f by some means, and to estimate 
outputs of the k-tn one-way-function circuit 101 /r of the 
first cascade connection and the (m - /r + 1 )-th one-way- 
function drcuit 1 02;„.^+-) , other internal keys can be pro- 
tected from the third party. 

[0035] This is because the third party cannot trace but 
outputs of the /f-th to the m-th one-way-function circuit 
1 01 to 1 01 ;„ of the first cascade connection and (m - k 
+ 1)-th to m-th one-way-function circuit of the second 
cascade connection according to characteristic of the 
one-way function, even if he night have obtained the 
outputs of the k-\h one-way-function circuit 10 V 
the (m - + l)-th one-way-function circuit 102;;,.jif+i. 
Therefore, the third party cannot obtain but either of two 
inputs of the first to the m-th XOR circuit 103i to 103^ 
except the /c-th XOR drcuit 103^, which makes hardly 
possible to estimate other internal keys for the tNrd 
party which knows neither the externa! key nor the inter- 
nal keys. 

[0036] Practically saying, it is very difficult for the third 
party to estimate the outputs of the /c-th one-way-func- 
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tion circuit 101 fc. and the (m - + 1)-th one-way-furtction 
circuit 102„.;f^i. even if he has succeeded to obtain the 
/t-th internal key. Therefore, even if more than one inter- 
nal keys be broken, it is impossible to estimate other 
internal keys. 

[0037] In the embodiment of FIG. 1, the same one- 
way-function circuits given with the same conversion 
parameter are described to be used in either of the first 
cascade connection or the second cascade connection. 
However, they rnay be different with each other and may 
be given different conversion parameters with each 
other in either or both of the first and the second cas- 
cade connection, or on the contrary, one-way-function 
circuits which process their input bit sequences with the 
same one-way-function may be applied to all the one- 
way-function circuits of the first and the second cascade 
connection, given with the same or different conversion 
parameters, 

[0038] The one-way-function circuits may be used 
cyclically 

[0039] FIQ. 2 is a functional block diagram illustrating 
the apparatus for generating the internal aypto-keys 
according to a second embodiment of the invention, 
having a first sub-generator comprising a first selector 
201, a first one-way-function circuit 101 and a first reg- 
ister 202, a second sub-generator comprising a second 
selector 205, a second one-way-function circuit 102 and 
a second register 204, a UFO (Last-In-First-Out) buffer 
203. and an XOR circuit 103. 
[0040] Each of the first and the second sub generator 
has a similar configuration to the pseudo-random- 
sequence generator of FIG. 5. 
[0041 ] Half n bits of all external key of 2n bits are input 
to the first selector 201 through a first external-key input 
input terminal 105 and the other /i bits of the external 
key are input to the second selector 205 through the 
secortd external-key input terminal 107. The first one- 
way-function circuit 101 outputs a conversion result of n 
bits by processing an n-bit output of the first selector 
201 with a first one-way function according to a first con- 
version parameter (public key) supplied through a first 
public-key input terminal 104. 
[0042] The first register 202 holds the conversion out- 
put of the first one-way-function circuit 101 and outputs 
previously held data of n bits to the first selector 201 in 
synchronization with a dock pulse CLK supplied 
through a clock terminal 210. 
[0043] The first selector 201 selects the n-bit output of 
the first register 202 when a selection signal SEL sup- 
plied through a selection signal input terminal 211 is at 
logic '1' and selects the first half n bits of the external 
key supplied through the first external-key input terminal 
105 when the selection signal SEL is at togic '0', as the 
n-bit output to be processed by the first one-way-func- 
tion circuit 101. 

[0044] In the same way, the second one-way-function 
circuit 102 outputs a conversion result of n bits by 
processing an n-bit output of the second selector 205 



with a second one-way function according to a second 
conversion parameter (public key) supplied through a 
second put)lic-key input terminal 106, The second regis- 
ter 204 holds the converekin output of the second one- 

5 way-function circuits 102 and outputs prevk)usly held 
data of n bits to the second selector 205, in synchroni- 
zation with the clock pulse CLK. The second selector 
205 selects the n-bit output of the second register 204 
when the selection signal SEL is at logic *1 * and selects 

10 the other n bits of the external key supplied through the 
second external-key input terminal 107 when the selec- 
tion signal SEL is at logic '0', as the n-bit output to be 
processed by the second one-way-function circuit 102. 
[0045] The LIFO buffer 203, comprising a memory 

15 and an address counter, initializes the address counter 
when the dock pulse CLK is supplied during a control 
signal CLR supplied through a control terminal 212 is at 
logic '0'. 

[0046] When the control signal CLR is at logrc '1 ' and 
20 a readAvrite signal R/W supplied through a read/write 
terminal 213 is at logic '0*. the LIFO buffer stores the n- 
bit output of the second one-way-function circuit 102 in 
synchronization with tiie clock pulse CLK at an address 
indicated by the address counter, incrementing the 
25 address counter, and the LIFO buffer outputs n-bil data 
of an address indicated by the address counter to tiie 
XOR circuit 108 in synchronization with the ctock pulse 
CLK decrementing the address counter, when both the 
read/write signal R/W and the control signal CLR are at 
30 logic 'V. 

[0047] The XOR circuit 103 calculates an XOR bit 
sequence of n bits to be output as an internal key 
through an output terminal 108. froni outputs of the first 
one-way-function drcuit 101 and the UFO buffer 203. 

35 so that each bit of the XOR bit sequence has XOR togic 
of con-esponding two bits of the n-bil outputs of the first 
one-way-function circuit 101 and the LIFO buffer 203. 
[0048] Now, referring to a flowchart of FIG. 3, opera- 
tion of the second embodiment of FIO. 2 is described. 

40 [0049] Supplying each half of an external key of 2n 
bits to respective one of the first and the second exter- 
nal-key input terminal 105 and 107. and the first and the 
second conversion parameters to the first and the sec- 
ond public-key input terminal 104 and 106, respectively. 

45 the control agnal CLR of logic '0' is supplied to the LIFO 
buffer 203 for initializing the LIFO buffer 203 with the 
first clock pulse CLK (at step 310). Then the LIFO buffer 
203 is controlled in a writing mode by turning the control 
signal CLR to logic '1' and supplying the readAwite sig- 

50 nal R/W of togic *0' (at step 320). 

[0050] then the second selector 205 is contrdled to 
select the half bits of the external key supplied through 
the second external-key input terminal 205 by supplying 
the selection signal SEL of logic '0', and one clock pulse 

55 CLK is supplied (at step 330) to the second register 204 
and the LIFO buffer 203. Then, turning the selection sig- 
nal to logic '1 ' for controlling the secxjnd selector 205 to 
select rj-bit outputs of the second register 204, and m ■ 
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1 dock putses CLK are sipplied to the second register 
204 and the LIFO buffer 203 (at step 340). 
10051 ) Thus, m sets of conversion results of /j bits of 
the second one-way-function circuit 102 are stored in 
the UFO buffer 203. s 
[0052] Then, the read/ write signal R/W is turned to 
logic 'V for controlling the LIFO buffer 203 into a reading 
mode (at step 350), and the selection signal SEL of 
logic '0' is supplied for controlfing the first selector 201 to 
select the other half of the external key supplied to the io 
first external-key input terminal 105 at the next clock 
pulse CLX (at step 360). 

[0053] Then, turning the selection signal SEL to logk; 
'1 ' for controlling the first selector 201 to select n-bH out- 
puts of the first register 202, m - 1 dock pulses CLK are is 
supplied to the first register 202 and the LIFO buffer 203 
(at step 370). 

[0054] Thus controlling the apparatus of FIG. 2, m 
sets of internal keys of n bits are output from the output 
terminal 108 in synchronization with the dock pulse 20 
CLK set by set at step 360 and step 370. and the inter- 
nal keys having the same security with the internal keys 
generated by the first embodiment of FIG, 1 can be 
obtained with a far sinpler configuration than the first 
embodiment and with only two times calculation time. ss 
[0055] FIG. 4 is a functional b>tock diagram illustrating 
a third embodiment of the invention. In the third embod- 
iment, a single n-bit external key is supplied to an exter- 
nal-key input terminal 405 together witii a conversion 
parameter supplied to a public-key input terminal 104. 30 
The LIFO buffer 203 is controlled in the writirig mode for 
the first m clock pulses CLK after initialization and the 
conversion results of a single one-way-function drcuit 
101 is buffered in the LIFO buffer 203, in a similar way 
witii tine second embodiment of FIG. 2. For the following 36 
m dock pulses CLK, the LIFO buffer 203 is set in the 
reading mode, and the output of the LIFO buffer 203 is 
XORed witii the conversion result of tiie one-way-func- 
tion drcuit 101 by tiie XOR circuit 103 clock by dock to 
be output as each of the m sets of the internal keys. 40 
[0056] As above described, the apparatus of FIG. 4 is 
equivalent to the apparatus of FIG. 2 on condition that 
the same n-bit external keys are supplied to the first and 
the second external-key input terminal 105 and 107, 
and the first and tiie second one-way-function drcuit <s 
101 and 102 output conversion results by processing 
the output of respective sdectors 201 and 205 with the 
same one-way function according to the same conver- 
sion parameters, in the second embodiment of FIG. 2. 
Therefore, duplicated explanation is omitted. so 
[0057] However, either or both the external key and 
the conversion parameter to be supplied to tiie third 
embodiment may be changed for tiie first m docks and 
for the following m clocks, of causa 
[0058] Accordingtothethird embodiment of FIG 4, ttie ss 
second one-way-function circuit 102. tiie second regis- 
ter 204 and tiie second selector 205 can be further 
economized compared to tiie second embodiment of 



FIG. 2. 

[0059] Heretofore, internal keys of n-ttt length are 
descrQ3ed to be generated from an external key of 2n- 
bits or n bits. However, when bit-length of the given 
external key is shorter, necessary nun*er of bits having 
any logic may be supplemented, or. a part of outputs of 
tiie output terminal 108 or the IO81 to 108;„ may be 
used as the internal keys, when bit-length of the 
required internal keys is shorter. Furtiier, the XOR dr- 
cuit 103, or 103i to 103m may be replaced with any 
appropriate combining functions. 
[0060] Still further, the one-way-function drcuits 101, 
102, 101 1 to 101;n, or 102i to 102/„ may be replaced 
with non-iinear function circuits when required security 
is not so high, on condition that inverse prediction is suf- 
fidentiy difficult in the non-finear function circuits. 

Claims 

1. A method of generating internal crypto-keys to be 
set as initial values in feedback registers of an 
pseudo-random-sequence generator of a stream 
dpher system from an external key; the method 
comprising: 

a step of outputting m sets of first conversion 
results, each of the m sets of first conver- 
sion results being obtained by processing an (/ 
- 1)-tii of the m sets of first conversion results 
with a first nonlinear function and a first of the 
m sets of first conversion results being 
obtained by processing a first part of tiie exter- 
nal key with tiie first nonlinear function, m 
tjeing a positive integer more than one, / being 
a positive integer more tiian one and not more 
than m. and the first nonlinear function being a 
function wherein a variable giving a value of tiie 
function is difficult to be estimated from the 
value of the function: 

a step of outputting m sets of second conver- 
sion results, each /-th of tiie m sets of second 
conversion results being obtained by process- 
ing an (/ - 1)-tii of the m sets of first conversion 
results with a second nonlinear function and a 
first of the m sets of second conversion results 
being obtained by processing a second part of 
the external key with tiie second nonlinear 
function, the second nonlinear function being a 
fundion wherein a variable giving a value of the 
fundk)n is diffk;ult to be estimated from the 
value of the function; and 
a step of outputting each y-th of m internal 
crypto-keys by combining an y-th of the m sets 
of first conversion results and an (m - / + 1)-th 
of the m sets of second conversion results 
according to a combining function, / being a 
positive integer not more than m. 
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A method of generating (nt^nal crypto-keys as tion circuit of the second cascade connection, y 
recited in claim 1 ; wherein at least one of the first being a positive integer not wore than m. 
nonlinear function and the second nonlinear func- 
tion is a one-way function wherein a variable giving 5, An apparatus for generating internal crypto*keys to 
a value of the one-way function is st^}stanlially 5 be set as initial values in feedback registers of an 
impossible to be estimated from the value of the pseudo-random-sequence generator of a stream 
one-way function. cipher system from an external key; the apparatus 

conprtstng: 



3. A method of generating internal crypto-keys as 
recited in daim 1 or 2 wherein each bit of the /-th of 10 
the m internal crypto-keys has XOR (eXdusive OR) 
logic of corresponding bits of the y-th of the m sets 

of first conversion results and the (m - / + l)-th of 
the m sets of second conversion results. 

IS 

4, An apparatus for generating internal crypto-keys to 
be set as initial values in feedback registers of an 
pseudo-randonvsequence generator of a stream 
cipher system from an external key; the apparatus 
conprising: so 

a first cascade connection of m one-way-func- 
tion circuits (101 1 to 101m). a ^irst one-way- 
function circuit (101 1) of the first cascade con- 
nection outputting a conversion result by 2s 
processing a first part of the external key with a 
first one-way-function and each /-th one-way- 
function circuit of the first cascade connection 
outputting a conversion result by processing an 
output of an {/ - 1 ) -th one-way-function circuit of 30 
the first cascade connection with the first one- 
way-function, m being a positive integer more 
than one, / being a positive irtteger more than 
one and not more than m, ar>d the first one- 
way-function being a function wherein a varia- ss 
ble giving a value of the function is sut>stantially 
impossible to be estimated from the value of 
the function; 

a second cascade connection of m one-way- 
function circirits (102i to 102n,), a first one- 4a 
way-function circuit (102i) of the second cas- 
cade connection outputting a conversion result 
by processing a second part of the external key 
with a second one-way-function and each /-th 
one-way-functkjn drcurt of the second cascade 45 
connection outputting a conversion result by 
processing an output of an (/ - 1)-th one-way- 
function circuit of the second cascade connec- 
tion with the second one-way-function, the sec- 
ond oneway-function being a function wherein so 
a variable giving a value of the function is sub- 
stantially impossible to be estimated from the 
value of the function; and 
m confining function (103i to 103^), each y-th 
of the m combining function outputting y-th of m ss 
internal crypto-keys t)y combining outputs of a 
y-th one-way-function drcuit of the first cascade 
connection and an (m • y + 1)-th one-way-func- 



a first oneway-function drcuit (101) for output- 
ting a conversion result by processing an input 
bit sequence with a first one-way function, the 
first one-way-function being a function wherein 
a variable giving a value of the function is sub- 
stantially impossible to be estinrtated from the 
value of the function; 

a first register (202) for holding the conversion 
result outputted from the first one-way-function 
drcuit (101) and outputting the conversion 
result previously heki in the first register (202) 
in synchronization with a dock signal; 
a first selector (201) for selecting either a first 
part of the external key or an output of the first 
register (202) according to a selection signal as 
the input bit sequence to be processed by the 
first one-way-function drcuit (101); 
a second one-way-function drcuit (102) for out- 
putting a conversion result by processing an 
input bit sequence with a second one-way 
function, tine second one-way-function being a 
function wherein a variable giving a value of the 
function is substantially impossible to be esti- 
mated from the value of the function; 
a second register (204) for holding the conver- 
sion result outputted from the second one-way- 
function drcuit (102) and outputting the conver- 
sion result previously hekd in the second regis- 
ter (204) in synchronization with the dock 
signal; 

a secortd selector (205) for selecting either a 
second part of the external key or an output of 
the second register (205) according to the 
selection signal as the input bit sequence to be 
processed by the second one-way-function cir- 
cuit (102); 

a LIFO {Last-In-l=1rst-0ut) buffer (203) wherein 
conversion results outputted from the second 
one-way-function circuit (102) are stacked in 
synchronization witti tiie dock signal when tiie 
LIFO buffer is controlled in a writing mode, and 
the conversion results stacked in the LIFO 
buffer (203) are popped up in synchronization 
with tiie dock dgnal when the LIFO buffer 
(203) is controlled in a reading mode; and 
a combining drcurt (103) for outputting internal 
crypto-keys in synchronization with the clock 
signal by comt^ning outputs of the LIFO buffer 
(203) and the first one-way-function circuit 
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(101). 

6. An apparatus for generating interna) crypto-Keys to 
be set as initial values in feedback registers of an 
pseudo-rardom-sequence generator of a stream s 
cipher system from an external key; the apparatus 
comprising: 

a one-way-function circuit (101) for outputting a 
conversion result by processing an Input bit io 
sequence with a one-way function, the one- 
way-function being a function wherein a varia- 
ble giving a value of the function is substantially 
impossible to be estimated from the value of 
the function; is 
a register (202) for holding the conversion 
result outputted from the one-way-function cir- 
cuit (101) and outputting the conversion result 
previously held in the register (202) in synchro- 
nization with a clock signal; 20 
a selector (201) for selecting either the external 
key or an output of the register (202) according 
to a selection signal as the input bit sequence 
to be processed by the one-way-function circuit 
(101); 25 
a LIFO buffer (203) wherein conversion results 
output from the one-way-function circuit (102) 
are stacked in synchronization with the clock 
signal when the LIFO buffer is controlled in a 
writing mode» and the conversion results 90 
stacked in the LIFO buffer (203) are popped up 
in synchronization with the clock signal when 
the UFO buffer (203) is controlled in a reading 
mode; and 

a combining circuit (103) for outputting internal 36 
crypto-keys in synchronization with (he clock 
signal by combining outputs of the LtFO buffer 
(203) and the one-way-function circuit (101). 

7. An apparatus for generating internal crypto-keys as 4o 
recited in claim 5; wherein each bit of an internal 
crypto-key output by the combining circuit has XOR 
logic of corresponding bits of outputs of the first 
one-way-function circuit (101) and the UFO buffer 
(203). 45 

8. An apparatus for generating internal crypto-keys as 
recited in daim 6: wherein each bit of an internal 
crypto-key output by the combining circuit has XOR 
logic of corresponding bits of outputs of the one- so 
way-function circurt (101) and the LIFO buffer (203). 



55 



8 



EF 0 913 964 A2 



FIG. ! 



104 -^^-o- 
105— -o- 



ONE-WAY 
FUNCTION 



1012 



ONE-WAY 
FUNCTION 



lOb 



ONE-WAY 
FUNCTION 



T 



lOlm-i 



ONE-WAY 
FUNCTION 



lOlffl 



ONE-WAY. 
FUNCTION 



106- 
107 



102i " 102« 



lOh ~ 101m 



ONE-WAY 
FUNCTION 



■102« 



108i 

/ 

103t 
IO82 



ONE-WAY 
FUNCTION 

— T" 

I 

I 
t 

1 



^ 1032 

-102m-t 



ONE-WAY 
FUNCTION 



1023 



108m-l 



ONE-WAY 
FUNCTION 



•103«-« 



-1022 



ONE-WAY 
FUNCTION 



108m 

f 

103« 



■102i 



9 



EP 0 913 964 A2 



FIG. 2 



i 



CLK 



2!! 

( 



SEL 



{> REGISTER 
202 



CLR 



213 



,R/W 



LIFO 
BUFFER 



203 



{> REGISTER 

T 

204 



105 



SELECTOR 



201 



ONE-WAY 
FUNCTION 



r 

101 



103 



102 

1 



ONE-WAY 
FUNCTION 



SELECTOR 



205 



107 



10 



EP0 913S84 A2 



FIG. 3 



( START ) 



INITIALIZE LIFO BUFFER 



SET LIFO BUFFER IN WRITING MODE 



CONTROLLING SECOND SELECTOR TO SELECT 
EXTERNAL KEY. SUPPLY ONE CLOCK 

I 

CONTROLLING SECOND SELECTOR TO SELECT 
REGISTER OUTPUT. SUPPLY m-l CLOCKS 



SET LIFO BUFFER IN READING MODE 



CONTROLLING FIRST SELECTOR TO SELECT 
EXTERNAL KEY. SUPPLY ONE CLOCK 



CONTROLLING FIRST SELECTOR TO SELECT 
REGISTER OUTPUT. SUPPLY m-l CLOCKS 



( END ) 



EP 0 913 964 A2 



FIG. 4 



210 211 



CLK 



SEL 



> REGISTER 



202 



rr 

19 L 



212 d}6 

Li 

LIFO 
BUFFER 

203 



212 213 
CLRl IR/W 



405 

i 



SELECTOR 



ONE-WAY 
FUNCTION 



lot 



'201 



108 



103 



12 



EP0 913 964 A2 



FIG. 5 PRIOR ART 



2tO 



211 



405 



CLK 



SEL 



SELECTOR 



> REGISTER 



T" 
202 



ONE-WAY 
FUNCTION 



n-1 



f 

101 



'201 



-104 



-o~-508 



FIG. 6 




13 



